SIMPLEX LOCKS
An Illusion of Security
Original research and article
published in 2600, The Hacker Quarterly,
by Scott Skinner and Emmanuel Goldstein
Electronic form created by Magic Man
Courtesy of : -=Restricted -=Data -=Transmissions :
: :
: "Truth is cheap, but information costs." :
About this Article
==================
This article on Simplex locks was originally published in 2600
magazine, Volume 8, Number 3 (Autumn, 1991). This electronic form
has created for those people that do not have access to 2600 magazine
(or have never heard of it!). I HIGHLY suggest that you subscribe --
It's worth your while to support this magazine. A yearly home
delivered subscription is $21 for an individual, $50 for a corporate
subscription. Overseas it's $40 individual, $65 corporate. You can
reach 2600 on the net by writing mail to: 2600@well.sf.ca.us.
Subscription Correspondence can be sent to:
2600 Subscription Dept.
P.O. Box 752
Middle Island, NY
11953-0099
This is NOT the article in its entirety. I left out parts that I
felt were not of dire need, such as quotes from Simplex personel,
locksmiths, and Federal Express and other non-essentail information.
A few sentences have been reworded, and corrections have been made
that were pointed out in the next issue (Winter 1991/1992).
Here it is.. Share the knowledge.
-Magic
magic@atdt.org
Some Background on Simplex Locks
================================
No lock is one hundred percent secure. As any locksmith will tell
you, even the best lock can be opened if one wishes to invest the time
and resources. However, a good lock should at least be secure enough
to prevent the average person from compromising it. Common sense
dictates that a lock which can easily be opened by anyone is simply
not a safe lock to use.
While an average person may not have the necessary skills and
expertise to use a lock pick or a blowtorch, almost everyone has the
ability to count, and the ability to cound is all that is necessary
to compromise a Unican/Simplex pushbutton lock. In addition, one
needn't count very high. Only 1081 combinations are used, and in
most cases this number is reduced considerably.
Although Simplex claims that "thousands of combinations are
available," in truth only 1081 combinations are used. Another 1081
combinations are available in the guise of "high security half-step
codes." These are codes which require the user to push one or more
buttons only halfway. Because of the extreme difficulty in setting
and using these half-step codes, Simplex advises against their use,
and in most cases, does not even inform the user that these codes are
available. Naturally, the addition of 1081 combinations does not
make the lock considerably more secure. (If 2162 combinations seems
like a large number, consider that a $5 Master lock has 64,000.)
It has been found that nuberous organizations use Simplex locks as a
primary lock source. Among the guilty parties in the New York
metropolitan area are Federal Express, United Parcel Service (UPS),
Citicorp Center, John F. Kennedy International Airport, and the State
University of New York at Stony Brook. Others around the nation
include General Motors, the State Department, McDonald's, NSA, and
the University of Wisconsin.
The biggest offender is Federal Express, which uses Simplex locks on
over 25,000 dropboxes nationally. The dropboxes are particularly
insecure because Federal Express uses the same combination for all of
their dropboxes in every state on the east coast! So by opening one
dropbox, we now have access to thousands.
Access was also gained to a UPS dropbox -- in one shot. UPS did not
even bother to change the default combination which is set by
Simplex. And, just like Federal Express, UPS figures that a single
combination is good enough for every dropbox.
Hacking Simplex Locks
=====================
What follows is a list of all possible combinations for Simplex
locks. They have been divided into four groups acording to how many
pushbuttons are used. Listed after each group name is the total
number of combinations in the group. The numbers listed in
parentheses refer to pushbuttons that must be pressed together. If
you find that none of the combinations appear to open the lock, then
it may be a rare instance of a half-step code. In this case, only
the last number (or numbers if they are in parentheses) should be
pressed in HALFWAY and held while the knob or latch is turned.
Slowly press in the pushbutton(s) until you feel pressure. If you
hear a click then you have pushed the buttons in too far. If all of
this sounds complicated, then you are beginning to understand why it
is that Simplex does not recommend the use of half-step codes, and
subsequently why half-step codes are virtually never used.
Simplex locks come in many different shapes, sizes, and colors.
However, the two models that you will most likely see are the 900 and
the 1000 series. The characteristic features of the 900 series are
five black buttons spaced in a circular fashion on a round, metallic
cylinder. In addition, the 900 series utilizes a latch instead of a
doorknob. The 1000 series is much larger, with five (usually
metallic) pushbuttons spaced vertically on a rectangular metal
chassis. Unlike the 900 series, the 1000 has a doorknob.
It is suggested that novices attempt their first hack on a Simplex
900 model. If the latch is located below the buttons, then the
procedure is as follows: 1) turn the latch counterclockwise to reset
the lock; 2) enter a combination from the list; 3) turn the latch
clockwise to open. If the latch is located above the buttons then
simply reverse this procedure. Make sure that you reset the lock
after each try.
To hack a 1000 model, simply enter a combination from the list and
turn the knob clockwise. You will hear clicks as you turn the knob,
indicating that the lock has been reset. It is sometimes difficult
to tell when you have cracked a 1000 model by simply turning the
knob. When you do get the correct code, you will hear a distinctive
click and feel less pressure as you turn the knob.
You will find that turning the latch on a 900 model requires less
wrist motion and makes much less noise than turning the knob on a
1000 model. These details seem trivial until you realize that you
may have to turn the latch or doorknob a few hundred times before you
crack the lock.
It can not be stressed enough how much easier it is when you know the
range. For instance, if you know that only three digits are being
used, then you do not have to waste time trying four digits. One way
to find out the range is to stand nearby while someone punches in the
code. You will hear distinctive clicks which will give you an idea
of the range. If you cannot stand nearby then try hiding a voice
activated tape recorder near the door. The tape recorder will remain
off until someone comes up to punch in the code. You can then
retrieve the recorder later at your convenience and listen for the
telltale clicks. It was found that this method only works in quiet
areas, such as the inside of a building. Another way to find out the
range is to take a pencil eraser and carefully rub off a tiny bit of
rubber on each of the pushbuttons. When someone comes to enter the
combination, they will rub off the rubber on all of the pushbuttons
that they use, while leaving telltale traces of rubber on the
pushbuttons that they do not use. This method works particularly
well because you eliminate pushbuttons, which drastically reduces the
number of combinations that must be tried.
It has been found that certain ranges tend to be used more than
others. Group B (three pushbuttons) tends to be used in "low
security areas," while Groups C and D tend to be used in areas which
seem like they should be more secure. A lock which uses a
combination from Group A has never been found. For some reason, the
1000 series mostly uses Group C (four pushbuttons). In addition,
most combiniations tend to be "doubles," which require at least two
of the pushbuttons to be pressed together. When you decide on a
particular range to start with, try the doubles first. For instance,
try "(12)345" before you try "12345." A lock which uses a triple,
quadruple, or all five pushbuttons pressed at the same time has never
been found.
Although a list of all the possible combinations is provided, you may
find it useful to invest some time and record these codes onto
cassette. This makes it much easier for one person to hack a Simplex
lock. A walkman looks far less conspicuous than sheets of paper
filled with numbers.
Finally, it is always good to take a few lucky shots before
initiating a brute force hack. Always try the default combination
"(24)3" before trying anything else. Above all, DON'T give up!
Even if you do not get the combination in ten minutes, you are still
that much closer to figuring it out. It is recommended that you do
not stress yourself out trying every combination in one shot. A few
minutes a day will do just fine, and the thrill of achievement will
be well worth the wait.
Changing Combinations on the 900 Series
=======================================
You may change combinations to any sequence you wish, using any or
all buttons, in any order, separately or pushed at the same time with
other buttons. You cannot use the same button more than once in a
combination.
1) With the door OPEN and the Simplex LOCKED, turn the FRONT CONTROL
KNOB (marked "Simplex") to the LEFT, and RELEASE. Push the EXISTING
combination and RELEASE the buttons.
2) Remove the screw in the Lock Housing with an Allen wrench.
Insert the wrench into the screw hole and depress button within.
Remove wrench.
3) Turn the front control knob (marked "Simplex") to the LEFT, and
RELEASE.
4) Press the buttons in the sequence desired for your new
combination. Record your new combination.
5) Turn the front control knob RIGHT. Your new combination is now
installed. Before shutting the door, try it to be sure you have
recorded it correctly. Replace the threaded screw in the Lock
Housing.
NOTE: If the front control knob opens the lock without pushing the
combination, steps 3, 4, and 5 were performed out of order and your
Simplex is in a "0" combination. To reinstall a combination, follow
the above steps above, but omit step #1.
All possible Simplex Combinations
=================================
Note: Numbers in parentheses should be pressed together
GROUP A: GROUP B: 423 (34)5 (234) 2354
35 130 425 (35)1 (235) 2413
431 (35)2 (245) 2415
1 123 432 (35)4 (345) 2431
2 124 435 (45)1 2435
3 125 451 (45)2 GROUP C: 2451
4 132 452 (45)3 375 2453
5 134 453 3(12) 2513
12 135 512 4(12) 1234 2514
13 142 513 5(12) 1235 2531
14 143 514 2(13) 1243 2534
15 145 521 4(13) 1245 2541
21 152 523 5(13) 1253 2543
23 153 524 2(14) 1254 3124
24 154 531 3(14) 1324 3125
25 213 532 5(14) 1325 3142
31 214 534 2(15) 1342 3145
32 215 541 3(15) 1345 3152
34 231 542 4(15) 1352 3154
35 234 543 1(23) 1354 3214
41 235 (12)3 4(23) 1423 3215
42 241 (12)4 5(23) 1425 3241
43 243 (12)5 1(24) 1432 3245
45 245 (13)2 3(24) 1435 3251
51 251 (13)4 5(24) 1452 3254
52 253 (13)5 1(25) 1453 3412
53 254 (14)2 3(25) 1523 3415
54 312 (14)3 4(25) 1524 3421
(12) 314 (14)5 1(34) 1532 3425
(13) 315 (15)2 2(34) 1534 3451
(14) 321 (15)3 5(34) 1542 3452
(15) 324 (15)4 1(35) 1543 3512
(23) 325 (23)1 2(35) 2134 3514
(24) 341 (23)4 4(35) 2135 3521
(25) 342 (23)5 1(45) 2143 3524
(34) 345 (24)1 2(45) 2145 3541
(35) 351 (24)3 3(45) 2153 3542
(45) 352 (24)5 (123) 2154 4123
354 (25)1 (124) 2314 4125
412 (25)3 (125) 2315 4132
413 (25)4 (134) 2341 4135
415 (34)1 (135) 2345 4152
421 (34)2 (145) 2351 4153
4213 (12)54 (35)41 3(25)4 41(23) (23)(15)
4215 (13)24 (35)42 4(25)1 45(23) (23)(45)
4231 (13)25 (45)12 4(25)3 51(23) (24)(13)
4235 (13)42 (45)13 1(34)2 54(23) (24)(15)
4251 (13)45 (45)21 1(34)5 13(24) (24)(35)
4253 (13)52 (45)23 2(34)1 15(24) (25)(13)
4312 (13)54 (45)31 2(34)5 31(24) (25)(14)
4315 (14)23 (45)32 5(34)1 35(24) (25)(34)
4321 (14)25 3(12)4 5(34)2 51(24) (34)(12)
4325 (14)32 3(12)5 1(35)2 53(24) (34)(15)
4351 (14)35 4(12)3 1(35)4 13(25) (34)(25)
4352 (14)52 4(12)5 2(35)1 14(25) (35)(12)
4512 (14)53 5(12)3 2(35)4 31(25) (35)(14)
4513 (15)23 5(12)4 4(35)1 34(25) (35)(24)
4521 (15)24 2(13)4 4(35)2 41(25) (45)(12)
4523 (15)32 2(13)5 1(45)2 43(25) (45)(13)
4531 (15)34 4(13)2 1(45)3 12(34) (45)(23)
4532 (15)42 4(13)5 2(45)1 15(34) (123)4
5123 (15)43 5(13)2 2(45)3 21(34) (123)5
5124 (23)14 5(13)4 3(45)1 25(34) (124)3
5132 (23)15 2(14)3 3(45)2 51(34) (124)5
5134 (23)41 2(14)5 34(12) 52(34) (125)3
5142 (23)45 3(14)2 35(12) 12(35) (125)4
5143 (23)51 3(14)5 43(12) 14(35) (134)2
5213 (23)54 5(14)2 45(12) 21(35) (134)5
5214 (24)13 5(14)3 53(12) 24(35) (135)2
5231 (24)15 2(15)3 54(12) 41(35) (135)4
5234 (24)31 2(15)4 24(13) 42(35) (145)2
5241 (24)35 3(15)2 25(13) 12(45) (145)3
5243 (24)51 3(15)4 42(13) 13(45) (234)1
5312 (24)53 4(15)2 45(13) 21(45) (234)5
5314 (25)13 4(15)3 52(13) 23(45) (235)1
5321 (25)14 1(23)4 54(13) 31(45) (235)4
5324 (25)31 1(23)5 23(14) 32(45) (245)1
5341 (25)34 4(23)1 25(14) (12)(34) (245)3
5342 (25)41 4(23)5 32(14) (12)(35) (345)1
5412 (25)43 5(23)1 35(14) (12)(45) (345)2
5413 (34)12 5(23)4 52(14) (13)(24) 4(123)
5421 (34)15 1(24)3 53(14) (13)(25) 5(123)
5423 (34)21 1(24)5 23(15) (13)(45) 3(124)
5431 (34)25 3(24)1 24(15) (14)(23) 5(124)
5432 (34)51 3(24)5 32(15) (14)(25) 3(125)
(12)34 (34)52 5(24)1 34(15) (14)(35) 4(125)
(12)35 (35)12 5(24)3 42(15) (15)(23) 2(134)
(12)43 (35)14 1(25)3 43(15) (15)(24) 5(134)
(12)45 (35)21 1(25)4 14(23) (15)(34) 2(135)
(12)53 (35)24 3(25)1 15(23) (23)(14) 4(135)
2(145) 21534 41325 (12)435 (35)142 1(25)34
3(145) 21543 41523 (12)453 (35)214 1(25)43
1(234) 23451 41532 (12)534 (35)241 3(25)14
5(234) 23415 42315 (12)543 (35)412 3(25)41
1(245) 23514 42351 (13)245 (35)421 4(25)13
4(235) 23541 42513 (13)254 (45)123 4(25)31
1(245) 23145 42531 (13)425 (45)132 1(34)25
3(245) 23154 42135 (13)452 (45)213 1(34)52
1(345) 24513 42153 (13)524 (45)231 2(34)15
2(345) 24531 43512 (13)542 (45)312 2(34)51
(1234) 24135 43521 (14)235 (45)321 5(34)12
(1235) 24153 43125 (14)253 3(12)45 5(34)21
(1245) 24351 43152 (14)325 3(12)54 1(35)24
(1345) 24315 43215 (14)352 4(12)35 1(35)42
(2345) 25134 43251 (14)523 4(12)53 2(35)14
25143 45123 (14)532 5(12)34 2(35)41
GROUP D: 25341 45132 (15)234 5(12)43 4(35)12
541 25314 45213 (15)243 2(13)45 4(35)21
25413 45231 (15)324 2(13)54 1(45)23
12345 25431 45312 (15)342 4(13)25 1(45)32
12354 31245 45321 (15)423 4(13)52 2(45)13
12453 31254 51234 (15)432 5(13)24 2(45)31
12435 31452 51243 (23)145 5(13)42 3(45)12
12534 31425 51324 (23)154 2(14)35 3(45)21
12543 31524 51342 (23)415 2(14)53 34(12)5
13452 31542 51423 (23)451 3(14)25 35(12)4
13425 32451 51432 (23)514 3(14)52 43(12)5
13524 32415 52314 (23)541 5(14)23 45(12)3
13542 32514 52341 (24)135 5(14)32 53(12)4
13245 32541 52413 (24)153 2(15)34 54(12)3
13254 32145 52431 (24)315 2(15)43 24(13)5
14523 32154 52134 (24)351 3(15)24 25(13)4
14532 34512 52143 (24)513 3(15)42 42(13)5
14235 34521 53412 (24)531 4(15)23 45(13)2
14253 34125 53421 (25)134 4(15)32 52(13)4
14352 34152 53124 (25)143 1(23)45 54(13)2
14325 34251 53142 (25)314 1(23)54 23(14)5
15234 34215 53214 (25)341 4(23)15 25(14)3
15243 35124 53241 (25)413 4(23)51 32(14)5
15342 35142 54123 (25)431 5(23)14 35(14)2
15324 35241 54132 (34)125 5(23)41 52(14)3
15423 35214 54213 (34)152 1(24)35 53(14)2
15432 35412 54231 (34)215 1(24)53 23(15)4
21345 35421 54312 (34)251 3(24)15 24(15)3
21354 41235 54321 (34)512 3(24)51 32(15)4
21453 41253 (12)345 (34)521 5(24)13 34(15)2
21435 41352 (12)354 (35)124 5(24)31 42(15)3
43(15)2 524(13) 231(45) (23)1(45) (123)54 24(135)
14(23)5 542(13) 312(45) (24)5(13) (124)35 42(135)
15(23)4 235(14) 321(45) (24)3(15) (124)53 23(145)
41(23)5 253(14) (12)(34)5 (24)1(35) (125)34 32(145)
45(23)1 325(14) (12)(35)4 (25)4(13) (125)43 15(234)
51(23)4 352(14) (12)(45)3 (25)3(14) (134)25 51(234)
54(23)1 523(14) (13)(24)5 (25)1(34) (134)52 14(235)
13(24)5 532(14) (13)(25)4 (34)5(12) (135)24 41(235)
15(24)3 234(15) (13)(45)2 (34)2(15) (135)42 13(245)
31(24)5 243(15) (14)(23)5 (34)1(25) (145)23 31(245)
35(24)1 324(15) (14)(25)3 (35)4(12) (145)32 12(345)
51(24)3 342(15) (14)(35)2 (35)2(14) (234)51 21(345)
53(24)1 423(15) (15)(23)4 (35)1(24) (234)15 (123)(45)
13(25)4 432(15) (15)(24)3 (45)3(12) (235)14 (124)(35)
14(25)3 145(23) (15)(34)2 (45)2(13) (235)41 (125)(34)
31(25)4 154(23) (23)(14)5 (45)1(23) (245)13 (134)(25)
34(25)1 415(23) (23)(15)4 3(12)(45) (245)31 (135)(24)
41(25)3 451(23) (23)(45)1 4(12)(35) (345)12 (145)(23)
43(25)1 514(23) (24)(13)5 5(12)(34) (345)21 (234)(15)
12(34)5 541(23) (24)(15)3 2(13)(45) 4(123)5 (235)(14)
15(34)2 135(24) (24)(35)1 4(13)(25) 5(123)4 (245)(13)
21(34)5 153(24) (25)(13)4 5(13)(24) 3(124)5 (345)(12)
25(34)1 315(24) (25)(14)3 2(14)(35) 5(124)3 (45)(123)
51(34)2 351(24) (25)(34)1 3(14)(25) 3(125)4 (35)(124)
52(34)1 513(24) (34)(12)5 5(14)(23) 4(125)3 (34)(125)
12(35)4 531(24) (34)(15)2 2(15)(34) 2(134)5 (25)(134)
14(35)2 134(25) (34)(25)1 3(15)(24) 5(134)2 (24)(135)
21(35)4 143(25) (35)(12)4 4(15)(23) 2(135)4 (23)(145)
24(35)1 314(25) (35)(14)2 4(23)(45) 4(135)2 (15)(234)
41(35)2 341(25) (35)(24)1 4(23)(15) 2(145)3 (14)(235)
42(35)1 413(25) (45)(12)3 5(23)(14) 3(145)2 (13)(245)
13(45)2 431(25) (45)(13)2 1(24)(35) 1(234)5 (12)(345)
12(45)3 125(34) (45)(23)1 3(24)(15) 5(234)1 (1234)5
21(45)3 152(34) (12)5(34) 5(24)(13) 1(235)4 (1235)4
23(45)1 215(34) (12)4(35) 1(25)(34) 4(235)1 (1245)3
31(45)2 251(34) (12)3(45) 3(25)(14) 1(245)3 (1345)2
32(45)1 512(34) (13)5(24) 4(25)(13) 3(245)1 (2345)1
345(12) 521(34) (13)4(25) 1(34)(25) 1(345)2 5(1234)
354(12) 124(35) (13)2(45) 2(34)(15) 2(345)1 4(1235)
435(12) 142(35) (14)5(23) 5(34)(12) 45(123) 3(1245)
453(12) 214(35) (14)3(25) 1(35)(24) 54(123) 2(1345)
534(12) 241(35) (14)2(35) 2(35)(14) 35(124) 1(2345)
543(12) 412(35) (15)4(23) 4(35)(12) 53(124) (12345)
245(13) 421(35) (15)3(24) 1(45)(23) 34(125)
254(13) 123(45) (15)2(34) 2(45)(13) 43(125)
425(13) 132(45) (23)5(14) 3(45)(12) 25(134)
452(13) 213(45) (23)4(15) (123)45 52(134)